1

Implementing Monitoring and Reporting

2

Why Should You Implement Monitoring?

• One of the biggest complaints we hear about firewall products from almost all vendors concerns the monitoring and reporting capabilities

• Network administrators need to be able to track attempted intrusions and attacks from outside

3

Log and report

• Awareness of failed or successful intrusions and attacks so you can take additional preventative measures

• Evidentiary documentation for forensics purposes when pursuing civil or criminal actions against intruders, attackers or insiders who misuse the network

• Tracking of bandwidth usage for planning expansion of the network

• Establishment of performance benchmarks for planning future capacity requirements

• Justification to management for budgetary considerations

• Paper trail for management and outside regulatory agencies to show compliance with policies and regulations

4

Planning a Monitoring and Reporting

• Monitoring traffic flow between networks

• Troubleshooting network connectivity

• Investigating attacks

• Planning

5

Monitoring in ISA 2006

• How to use the ISA 2006 Dashboard (section by section)

• How to create and configure notification alerts

• How to monitor sessions and services on the ISA Firewall

• How to configure logs and generate reports

• How to use the ISA Firewall performance monitor (a specially-configured instance of the Windows Server System Monitor that is installed with ISA Firewall)

• How to preserve log information prior to an ISA 2004 upgrade

6

Exploring the ISA 2006 Dashboard

7

Dashboard Sections

• Connectivity

• Services

• Reports

• Alerts

• Sessions

• System Performance

8

Dashboard Connectivity Section

Monitor connections between the ISA Firewall machine and other computers

9

Dashboard Services Section

Quickly check the status of the services

10

Dashboard Reports Section

Determine whether scheduled or manually generated reports have finished generating

11

Dashboard Alerts Section

Quickly determine the events that have been logged on the ISA Firewall computer

12

Dashboard Sessions Section

Easy to see, at a glance, the session types and number of sessions that are currently active through the ISA 2006

13

Dashboard System Performance Section

View of the two most important performance counters:

• Allowed packets per second (times 10)

• Dropped packets per second

14

Creating and Configuring ISA 2006 Alerts

• ISA Firewall’s alerting function means that you can be notified of important ISA-related events as soon as they are detected

• Viewing the Predefined Alerts

15

Creating a New Alert

Selecting Events and Conditions to Trigger an Alert

16

Creating a New Alert

Assigning a Category and Selecting a Severity Level for your New Alert

17

Creating a New Alert

Defining Actions to be Performed when the Alert is Triggered

18

Creating a New Alert

Sending E-Mail Notification Messages

Running a Program when an Alert is Triggered

19

Viewing Alerts that have been Triggered

20

Monitoring ISA 2006 Connectivity, Sessions, and Services

Configuring and Monitoring Connectivity

• Ping

• TCP Connect

• HTTP Request

21

Monitoring ISA 2006 Connectivity, Sessions, and Services

• Creating Connectivity Verifiers

22

Monitoring Sessions

Information about each session:

• Date and time the session was activated

• Session type (Firewall, Web Proxy, SecureNAT client, VPN client, or Remote VPN site)

• Client IP address

• Source network

• Client user name (if authentication is required)

• Client host name (for Firewall Client sessions)

• Application name (for Firewall Client sessions)

• Server name (name of the ISA Firewall)

23

Monitoring Sessions

24

Working with ISA Firewall Logs and Reports

• ISA Firewall 2006 logs all components by default. These logs include Web Proxy and Firewall Service

• Log Types:

  • Logging to an MSDE Database: displays information saved in an MSDE database

  • Logging to a SQL Server: allows you to use standard SQL tools to query the database

  • Logging to a File: displays information about the version, log date, and logged fields of files

25

How to Configure Logging

26

How to Configure Logging

Configuring Log Storage Format

Configuring MSDE Database Logging

27

How to Use the Log Viewer

The Log Viewer with Default Filter

28

Generating, Viewing, and Publishing Reports with ISA 2006